Our implementation is fairly secure. However, the server has a large attack surface. On the back end we run an Apache server with PHP and SVN. The Apache server can be exploited if permissions are not set correctly. In our case the SVN repository was not protected, so it was exploited.
Having a webpage with PHP and a SQL database also gives an attacker the opportunity to use common methods such as SQL injection and XSS to exploit our site if it is not protected well enough.
In the end, we learned that we need to pay attention to every detail, look at all the entry points an attacker has, and make sure they are protected.